An Assessment of ISMS Process Maturity based on Readiness and Awareness of team members of 
selected IT Organizations 


Abstract 


The growth of computers and of information technology has been explosive. As a result, 
information technology has been widely applied in every aspect of our life—from business, 
government, education, finance, health-care and aerospace to national defence. Computers, 
especially networked computers, have brought benefits to us and improved our lives. However, 
surveys and reports from various industry associations and security organizations suggest that 
only a few organizations can successfully protect their information assets. Organizations realize 
that information security is a complex issue, involving both human and technical factors. This 
paper is an attempt to empirically assess the maturity of Information Security Management 
System (ISMS) implementation in selected IT Service organizations in terms of the confidence of 
their employees in their Information Security Management System. 
Introduction 


The growth of computers and of information technology has been explosive. As a result, 
information technology has been widely applied in every aspect of our life—from business, 
government, education, finance, health-care and aerospace to national defence. Computers, 
especially networked computers, have brought benefits to us and improved our lives. However, 
surveys and reports from various industry associations and security organizations suggest that 
only a few organizations can successfully protect their information assets. Organizations realize 
that information security is a complex issue, involving both human and technical factors. 
Experience indicates that technology cannot provide all the answers to the security problems 
posed by people in the context of ISM. According to the CSI/FBI survey report, 89% of 
organizations have firewalls and 60% use IDS, and yet 40% reported system intrusion from 
outside of the organization (Power, 2002). The same report also revealed that although 90% of 
organizations used anti-virus software, 85% were still hit by viruses, worms, etc. 


To protect organizational information assets, many different information security standards and 
guidelines have been published. The two major sources for information security standards and 
guidelines are professional societies and the U.S. federal government. Generally Accepted 
System Security Principles (GASSP), for example, is a joint international effort between 10 
countries worldwide to develop a set of rules, practices, and procedures to achieve information 
integrity, availability, and confidentiality. Federal Information Processing Standards 
Publications (FIPS PUBS) provide guidelines that are mandatory for government agencies, but 
optional for the private sector. The newly released international standard ISO 17799 aims to 
provide a suitable model for information security management (ISM). 


Unfortunately, the current information security measurement criteria and practices are 
inconsistent and very confusing, which can be misleading to practitioners. Moreover, current 
concepts in the field of ISM are based largely on case studies, anecdotal evidence and the 
prescription of industry “leaders”. There is little consensus on which information security 
objectives should be achieved, which practices are critical to successful security initiatives, and 
what the relationships are between the “best practices” and information security objectives. 


In order to effectively manage information security, the following fundamental issues must be 
addressed: 

1. What is information security? 

2. What are the objectives of information security and how is information security 
measured? 

3. What kind of programs or practices can an organization implement to achieve these 
security objectives? 

4. What management practices are perceived as critical by information technology 
professionals? 

5. What are the underlying relationships between information security objectives and 
information security practices? 

6. Specifically, which particular practice contributes to which specific security objective? 

7. The lack of an existing framework to aid practitioners in implementing ISM practices. 


Answers to these issues have practical implications given the importance of information security. 
Surprisingly, to our knowledge, there has been no scientific study conducted on synthesizing 
security management practices and mapping the relationships between these practices and 
information security objectives. For example, current frameworks such as ISO 17799/BS 7799, 
GASSP and ISO 13335 have not been validated by empirical research. 


The purpose of this white paper is to empirically assess the maturity of Information Security 
Management System (ISMS) implementation in selected IT Service organizations in terms of 
the confidence of their employees in their Information Security Management System. 


Assessment based on Employee Confidence 


Employees of an organization, or members of any team, are the true face of its internal strengths 
as well as its weaknesses, whether or not anyone acknowledges this. Relying on this management 
and psychological factor, we conducted a survey about the readiness and awareness of 
policies and processes related to the Information Security Management System of a selected 
sample of organizations. 


Assessment foundation 


The assessment is carried out based on the responses of randomly selected employees of a set of 
IT organizations to a nine-point questionnaire, where the response to each point of the 
questionnaire is captured on a four-option scale. The scale consists of the following four options: 

1. Strongly Disagree 

2. Disagree 

3. Agree 

4. Strongly Agree 
The nine points of the questionnaire are as follows: 

1. There exists a customer driven or customer influenced culture in our organization. 

2. We have been trained on and we understand value additions to the customer through 
each of our services or work products. 

3. Relevant metrics have been defined and used for measurement of quantity and quality of 
our services or work products. 

4. The delivery and support processes are being adequately defined in our organization. 

5. A common set of service support and delivery terminology is accepted and used across 
our organization (may be through some standard templates etc.). 

6. Continuous improvement in our services or work products or delivery processes exists 
in the culture of our organization. 

7. The organization follows a culture of clearly defining the Roles and Responsibilities of 
all team members for any project or task. 

8. Work items are clearly prioritized for their importance to accomplish in the projects. 

9. Service/Work Support processes and policies of the organization are well documented 
and maintained with easy access for reference as and when required. 
Survey Responses 


Each table below lists the number of respondents (out of 30) who chose each option for the 
given questionnaire point, together with the corresponding percentage. 


1. There exists a customer driven or customer influenced culture in our organization. 

   1-Strongly Disagree    1    3.33% 
   2-Disagree             4   13.33% 
   3-Agree               22   73.33% 
   4-Strongly Agree       3   10.00% 
   Totals                30     100% 


2. We have been trained on and we understand value additions to the customer through 
   each of our services or work products. 

   1-Strongly Disagree    0    0.00% 
   2-Disagree            10   33.33% 
   3-Agree               20   66.67% 
   4-Strongly Agree       0    0.00% 
   Totals                30     100% 


3. Relevant metrics have been defined and used for measurement of quantity and quality of 
   our services or work products. 

   1-Strongly Disagree    3   10.00% 
   2-Disagree            17   56.67% 
   3-Agree                9   30.00% 
   4-Strongly Agree       1    3.33% 
   Totals                30     100% 


4. The delivery and support processes are being adequately defined in our organization. 

   1-Strongly Disagree    1    3.33% 
   2-Disagree            11   36.67% 
   3-Agree               17   56.67% 
   4-Strongly Agree       1    3.33% 
   Totals                30     100% 


5. A common set of service support and delivery terminology is accepted and used across 
   our organization (may be through some standard templates etc.). 

   1-Strongly Disagree    4   13.33% 
   2-Disagree            21   70.00% 
   3-Agree                4   13.33% 
   4-Strongly Agree       1    3.33% 
   Totals                30     100% 


6. Continuous improvement in our services or work products or delivery processes exists 
   in the culture of our organization. 

   1-Strongly Disagree    1    3.33% 
   2-Disagree            11   36.67% 
   3-Agree               17   56.67% 
   4-Strongly Agree       1    3.33% 
   Totals                30     100% 


7. The organization has a culture of clearly defining the Roles and Responsibilities of 
   all team members for any project or task. 

   1-Strongly Disagree    2    6.67% 
   2-Disagree            14   46.67% 
   3-Agree               12   40.00% 
   4-Strongly Agree       2    6.67% 
   Totals                30     100% 


8. Work items are clearly prioritized for their importance to accomplish in the projects. 

   1-Strongly Disagree    3   10.00%   (count inferred from the total of 30) 
   2-Disagree             6   20.00% 
   3-Agree               19   63.33% 
   4-Strongly Agree       2    6.67% 
   Totals                30     100% 


9. Service/Work Support processes and policies of the organization are well documented 
   and maintained with easy access for reference as and when required. 

   1-Strongly Disagree    1    3.33% 
   2-Disagree            16   53.33% 
   3-Agree               12   40.00% 
   4-Strongly Agree       1    3.33% 
   Totals                30     100% 


Analysis and Recommendations 


The Readiness and Awareness assessment of ISMS policies and implementation in the selected IT 
Service Organizations shows that the overall score falls slightly above the midpoint (2.50) on 
the readiness and awareness scale. Out of the nine points of the questionnaire, five points 
score above the center whereas the other four score below it. It should also be noted that 
none of the points scored towards the highest or lowest end of the four-point scale. Overall the 
responses are found to be balanced, which in fact shows the presence of a base upon which an 
information security culture can be formed and the maturity can be attained or increased. 
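As an added worked example (not part of the original paper), the following Python recomputes the per-point scores from the response counts tabulated in the Survey Responses section, checks which points fall above and below the 2.50 midpoint, and derives the overall score and the agreement shares that the analysis cites. The counts are transcribed from the tables; the Strongly Disagree count for point 8, absent from the extracted table, is inferred from its row total of 30.

```python
from fractions import Fraction

# Midpoint of the paper's four-point scale (1 = Strongly Disagree, 2 = Disagree,
# 3 = Agree, 4 = Strongly Agree); the analysis compares each point against it.
MIDPOINT = Fraction(5, 2)
WEIGHTS = (1, 2, 3, 4)

# Response counts per questionnaire point, in scale order 1..4, transcribed
# from the survey tables (30 respondents per point). Point 8's Strongly
# Disagree count (3) is inferred from its row total, as that row is missing.
RESPONSES = {
    1: (1, 4, 22, 3),   # customer driven or customer influenced culture
    2: (0, 10, 20, 0),  # trained on value additions to the customer
    3: (3, 17, 9, 1),   # relevant metrics defined and used
    4: (1, 11, 17, 1),  # delivery and support processes defined
    5: (4, 21, 4, 1),   # common service terminology accepted
    6: (1, 11, 17, 1),  # continuous improvement culture
    7: (2, 14, 12, 2),  # roles and responsibilities defined
    8: (3, 6, 19, 2),   # work items prioritized
    9: (1, 16, 12, 1),  # support processes documented
}


def mean_score(counts):
    """Weighted mean on the 1..4 scale, kept exact with Fraction."""
    return Fraction(sum(w * c for w, c in zip(WEIGHTS, counts)), sum(counts))


def agreement_share(counts):
    """Share of respondents who chose Agree or Strongly Agree."""
    return Fraction(counts[2] + counts[3], sum(counts))


def classify(responses=RESPONSES):
    """Questionnaire points scoring above and below the 2.50 midpoint."""
    above = [q for q, c in responses.items() if mean_score(c) > MIDPOINT]
    below = [q for q, c in responses.items() if mean_score(c) < MIDPOINT]
    return above, below


def overall_score(responses=RESPONSES):
    """Mean over all individual responses pooled across the nine points."""
    num = sum(w * c for counts in responses.values() for w, c in zip(WEIGHTS, counts))
    return Fraction(num, sum(sum(c) for c in responses.values()))


if __name__ == "__main__":
    for q, counts in RESPONSES.items():
        print(f"Q{q}: mean {float(mean_score(counts)):.2f}, agree {float(agreement_share(counts)):.1%}")
    print(f"above/below midpoint: {classify()}; overall {float(overall_score()):.3f}")
```

Running it reproduces the paper's split of five points above and four below the midpoint, with point 5 (common terminology) scoring lowest.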
Looking into the responses provided by the participants, it can be seen that a fairly good 
acceptance is captured for the presence of a customer driven culture. More than three-fourths of 
participants rated either “Agree” or “Strongly Agree” for the presence of a customer driven 
culture in their organization. According to management experts, customer focus is usually 
considered beneficial for the sustenance of business and the success of organizations, and for 
better ISMS practices, because while awarding any projects or work items to a company, the 
customer acts as an external and more concerned party for the effectiveness of the ISMS. 


On the other side, the lowest score is found for acceptance of a common set of service support and 
delivery terminology across the organization. More than three-fourths of participants rated 
either “Disagree” or “Strongly Disagree” when asked if a common set of terminology is 
accepted and used across the organization. This in fact can be a risk to the understanding of 
scope, processes, and other knowledge important for the acceptance and implementation of the 
ISMS in the organization. 